<html>
<head><meta charset="utf-8"><title>Cargo token disclosure vulnerability · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Cargo.20token.20disclosure.20vulnerability.html">Cargo token disclosure vulnerability</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="157069865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Cargo%20token%20disclosure%20vulnerability/near/157069865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Cargo.20token.20disclosure.20vulnerability.html#157069865">(Jan 29 2019 at 00:23)</a>:</h4>
<p>See <a href="https://github.com/rust-lang/cargo/issues/6545" target="_blank" title="https://github.com/rust-lang/cargo/issues/6545">https://github.com/rust-lang/cargo/issues/6545</a>. To me it looks like the root cause is the lack of association between the token and the expected audience of the token; i.e. the tokens aren't directed or labeled appropriately. It might be something where this group could be useful in coming up with a good long-term solution.</p>



<a name="157070219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Cargo%20token%20disclosure%20vulnerability/near/157070219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Cargo.20token.20disclosure.20vulnerability.html#157070219">(Jan 29 2019 at 00:31)</a>:</h4>
<p>audience confusion strikes again</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>